National security hawks ascendant after surveillance win

HAWKS SOAR FOLLOWING SURVEILLANCE VICTORY — National security hawks finally feel they have the wind at their backs five years after NSA contractor Edward Snowden leaked details about the government’s most secret spying programs, Cory and Martin report. Thursday’s Senate passage of a bill to reauthorize Section 702 of the Foreign Intelligence Surveillance Act for another six years marked a major victory for security-minded Republicans and centrist Democrats who less than a year ago expected unwelcome changes to the powerful spying tools. “If you look at the threat matrix today, it’s worse than it was six years ago,” Senate Intelligence Chairman Richard Burr said. “It’s more global, it’s more specific, it’s the reason that we need this program. I think more and more members realize that.”

Story Continued Below

The victory for surveillance boosters ends a trend of policy and legislative advancements that privacy advocates have notched since Snowden absconded with his cache of secret NSA documents in 2013. The theft set off a series of events that culminated in 2015 with Congress voting to end the bulk collection of Americans’ phone records, passing the USA Freedom Act over the objections of GOP leaders. “We certainly, certainly were hurt by Snowden and the information that he let out there,” said Tom Rooney (R-Fla.), who chairs the House Intelligence Committee’s NSA and cybersecurity subpanel.

The latest debate’s momentum switched several times, with revisionists in the House getting a last-minute boost from President Donald Trump when he seemingly indicated in a tweet that 702 programs had been used to spy on his staff during the 2016 election, nearly sinking the bill worked out between the House Intelligence and Judiciary committees. But it ended up as just another bump in the long road to passage. “The pendulum has actually swung,” Rep. Chris Stewart (R-Utah), who chairs the House’s defense intelligence subcommittee, said last week shortly after the lower chamber passed the legislation.

For their part, privacy advocates reject the narrative that they are starting to lose ground after years of hard-earned victories. “We were on the precipice of being able to win,” said Sen. Ron Wyden, who led an unsuccessful push in the Senate to offer an alternative bill embraced by the civil liberties community. “When the American people find out what’s in this, I’m saying, once again, they’re going to be stunned and they’re going to be angry.”

HAPPY FRIDAY and welcome to Morning Cybersecurity! The latest exhibit in the octopus being the best animal: This guy choked a dolphin to death as the dolphin tried to eat him. Send your thoughts, feedback and especially tips to tstarks@politico.com and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

TODAY: WYDEN ADVOCATES FOR BANKING CYBERSECURITY MEASURES — Sen. Ron Wyden today is asking a council of U.S. banking regulators to require greater adoption of multi-step authentication in consumer banking transactions. “As a formal interagency body with the power to create uniform standards for financial institutions, the Federal Financial Institutions Examination Council has tremendous power to protect consumers from threats to their bank accounts, lines of credit, and other investments,” Wyden wrote in a letter to Judith Dupre, executive secretary of the council.

The council recommended multi-factor authentication in 2011 guidance, but Wyden said the threat has evolved since then. “Given the seriousness of the cyber threats now faced by financial institutions and their customers, the FFIEC should update its guidance to institutions to better protect against internet-enabled banking fraud,” he wrote. “Specifically, the FFIEC should require financial institutions to utilize multi-factor authentication for consumer bank accounts, and require institutions to provide opt-in support for more advanced, phishing-resistant forms of multi-factor authentication.”

THE STATE OF DMARC— Two different cybersecurity companies arrived at different figures this week about how many federal agencies had adopted a standard to combat email spoofing. The reasons they arrived at the different figures —Agari 63 percent, Proofpoint 50 percent — are rather technical. But it boils down to each company differently measuring adoption of the standard — known as Domain-based Message Authentication, Reporting and Conformance — and both companies believe their approach provided the better results.

"We examined the full set of federal civilian domains provided by the federal government, which was a larger set of domains (200+ more), and as a result identified a higher number for which there are not DMARC records," Rob Holmes, vice president of email security products at Proofpoint, told MC via email. Proofpoint also only deemed a domain to be compliant if it met two criteria set forth in the Homeland Security Department's October directive requiring adoption of DMARC, Holmes said.

Agari says it got its list of 1,106 domains subject to the directive from DHS and that it is only monitoring domains that are "in scope." Via Fareed Bukhari, director of product marketing at Agari: "What this means is that DHS, and therefore the Agari research, is not mapping to specific domains directly, but to organizations that are federal civilian executive branch agencies, which have constantly fluctuating domains.” Bukhari said the smaller sample size "paints a more accurate picture of DMARC adoption."

— THE DHS PERSPECTIVE: DHS expects that 90 percent of federal agencies will have hit the first deadline for DMARC adoption by the end of January, according to Jeanette Manfra, assistant secretary for the office of cybersecurity and communications, speaking at an Agari-sponsored event Thursday. But, again, it’s complicated. She said: “We spend an enormous amount of time defining, what is an agency? What does that mean?” DHS is currently tracking 101 “agencies,” Manfra said.

THESE ARE A FEW OF OUR FAVORITE THINGS — The national group representing state IT officials considers simplifying cyber regulations a top priority for 2018, according to a list of goals it released Thursday. The National Association of State Chief Information Officers said it wanted to “harmonize disparate federal cybersecurity regulations and normalize the audit process.” The issue topped its “2018 Federal Advocacy Priorities” list, along with promoting the authority of CIOs in their states’ technology decision-making and protecting information that is shared with other entities. “Compliance with disparate regulations are an obstacle for state CIOs who are actively seeking savings for taxpayers through IT initiatives like consolidation/optimization,” NASCIO said in a fact sheet.

#TBT — The FTC on Thursday touted its 2017 cybersecurity work in an annual report on its privacy and data security activities. In the report, the agency pointed to settlements with computer maker Lenovo, ridesharing firm Uber and router maker D-Link over their handling of customer data and the security of their products. “Since 2002, the FTC has brought over 60 cases against companies that have engaged in unfair or deceptive practices that failed to adequately protect consumers’ personal data,” the commission noted. It also described a series of privacy workshops it held in 2017, including one focused on connected cars and another about identity theft. “The FTC’s prior work — in 2017 and long before — has prepared and positioned the agency to continue to be the leading U.S. agency on privacy and data security,” it said.

THAT’LL BUY A LOT OF SUPPORT — Booz Allen Hamilton this week won a potential five-year, $165 million contract for support planning and policy efforts at U.S. Cyber Command. The work will include things like support services for the Pentagon’s top cyber outfit, the company announced Wednesday. The massive contracts come as the Trump administration works to finally elevate U.S. Cyber Command to the same level as other prominent military units, such as Central Command, and potentially split the “dual hat” leadership structure that governs it and the NSA. The organization is expected to reach full operational capability at the end of the 2018 fiscal year.

RECENTLY ON PRO CYBERSECURITY — Russia-based Kaspersky Lab expanded its argument in a new court filing about why the Homeland Security Department shouldn’t be able to ban its products from federal networks. … Schneider Electric, a major manufacturer of industrial control equipment, “revealed chilling details today about how a new kind of malware infected one of its customers’ vital safety systems.” … Lebanese government-linked hackers staged a massive, global campaign to steal data, according to research from Lookout and the Electronic Frontier Foundation.

The House passed a stopgap spending bill while Senate opened debate on it. … “Republicans authorize sharing of classified report on FBI, DOJ officials' conduct.” … The Senate Judiciary Committee advanced the nomination of Brian Benczkowski to lead the Justice Department’s Criminal Division. … A ransomware attack took down some applications from electronic health records vendor Allscripts. … A bipartisan group of lawmakers filed a brief in support of Microsoft in its legal fight against the federal government over whether it can demand data stored overseas.

About The Author

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.